Indiana Code 24-15-3-1. Personal data; consumer rights; consumer’s request to controller; compliance by controller; consumer’s right to appeal
Terms Used In Indiana Code 24-15-3-1
(1) To confirm whether or not a controller is processing the consumer’s personal data and, subject to the limitations set forth in subdivision (4), to access such personal data.
(2) To correct inaccuracies in the consumer’s personal data that the consumer previously provided to a controller, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data. Upon receiving a request from a consumer under this subdivision, a controller shall correct inaccurate information as requested by the consumer, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data.
(3) To delete personal data provided by or obtained about the consumer.
(4) To obtain either:
(A) a copy of; or
(B) a representative summary of;
the consumer’s personal data that the consumer previously provided to the controller. Information provided to a consumer under this subdivision must be in a portable and, to the extent technically practicable, readily usable format that allows the consumer to transmit the data or summary to another controller without hindrance, in any case in which the processing is carried out by automated means. The controller has the discretion to send either a copy or a representative summary of the consumer’s personal data under this subdivision, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data. A controller is not required to provide a copy or a representative summary of a consumer’s personal data to the same consumer under this subdivision more than one (1) time in a twelve (12) month period.
(5) To opt out of the processing of the consumer’s personal data for purposes of:
(A) targeted advertising;
(B) the sale of personal data; or
(C) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
(c) Except as otherwise provided in this article, a controller shall comply with a request by a consumer to exercise a consumer right set forth in subsection (b) as follows:
(1) A controller shall respond to the consumer without undue delay, but in any case not later than forty-five (45) days after receipt of the consumer’s request under this section. The response period prescribed by this subdivision may be extended once by an additional forty-five (45) days when reasonably necessary, taking into account the complexity and number of the consumer’s requests, as long as the controller informs the consumer of any such extension within the initial forty-five (45) day response period, along with the reason for the extension.
(2) If a controller declines to take action regarding the consumer’s request, the controller shall inform the consumer without undue delay, but in any case not later than forty-five (45) days after receipt of the consumer’s request under this section, of the justification for declining to take action, and shall provide instructions for how to appeal the decision under subsection (d).
(3) Information provided in response to a consumer request shall be provided by a controller free of charge, up to one (1) time annually per consumer. If requests from a consumer are manifestly unfounded, excessive, or repetitive, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the manifestly unfounded, excessive, or repetitive nature of the request.
(4) If a controller is unable to authenticate the request using commercially reasonable efforts, the controller shall not be required to comply with a request to initiate an action under this section and may request that the consumer provide additional information reasonably necessary to authenticate the consumer and the consumer’s request.
(5) A controller that has obtained personal data about a consumer from a source other than the consumer is considered to comply with a request by the consumer under subsection (b)(3) to delete the consumer’s personal data if the controller:
(A) retains:
(i) a record of the consumer’s request for deletion; and
(ii) the minimum data necessary to ensure that the consumer’s personal data remains deleted from the controller’s records; and
(B) does not use the data retained under clause (A)(ii) for any other purpose.
(d) A controller shall establish a process for a consumer to appeal, within a reasonable period of time after the consumer’s receipt of a decision by the controller under subsection (c)(2), the controller’s refusal to take action on a request by the consumer under this section. The appeal process shall be conspicuously available and similar to the process for submitting requests to invoke a right under this section. Not later than sixty (60) days after receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the attorney general to submit a complaint.
As added by P.L.94-2023, SEC.1.